!30 Fix CVE-2020-7059

From: @panxh_purple
Reviewed-by: @small_leek
Signed-off-by: @small_leek

backport-CVE-2020-7059-Fix-79099-OOB-read.patch

@@ -0,0 +1,80 @@
+From 0f79b1bf301f455967676b5129240140c5c45b09 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jan 2020 21:33:17 -0800
+Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
+
+---
+ ext/standard/string.c                 |  6 ++---
+ ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/file/bug79099.phpt
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index da51cd0966fc..fb44cc505d9d 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
+ 				if (state == 4) {
+ 					/* Inside <!-- comment --> */
+ 					break;
+-				} else if (state == 2 && *(p-1) != '\\') {
++				} else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
+ 					if (lc == c) {
+ 						lc = '\0';
+ 					} else if (lc != '\\') {
+@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
+ 
+ 			case '!':
+ 				/* JavaScript & Other HTML scripting languages */
+-				if (state == 1 && *(p-1) == '<') {
++				if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ 					state = 3;
+ 					lc = c;
+ 				} else {
+@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
+ 
+ 			case '?':
+ 
+-				if (state == 1 && *(p-1) == '<') {
++				if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
+ 					br=0;
+ 					state=2;
+ 					break;
+diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
+new file mode 100644
+index 000000000000..7c842f4654f0
+--- /dev/null
++++ b/ext/standard/tests/file/bug79099.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #79099 (OOB read in php_strip_tags_ex)
++--FILE--
++<?php
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<?\n\"\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n!\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++
++$stream = fopen('php://memory', 'w+');
++fputs($stream, "<\0\n?\n");
++rewind($stream);
++var_dump(fgetss($stream));
++var_dump(fgetss($stream));
++fclose($stream);
++?>
++--EXPECT--
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""
++string(0) ""

php.spec

@@ -28,7 +28,7 @@
 
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       9
+Release:       10
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@@ -97,6 +97,7 @@ Patch6023:     CVE-2020-7066.patch
 Patch6024:     CVE-2019-11048.patch
 Patch6025:     CVE-2020-7068.patch
 Patch6026:     CVE-2020-7063.patch
+Patch6027:     backport-CVE-2020-7059-Fix-79099-OOB-read.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1158,6 +1159,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Fri Jan 15 2021 panxiaohe <panxiaohe@huawei.com> - 7.2.10-10
+- Fix CVE-2020-7059
+
 * Thu Dec 17 2020 wangchen <wangchen137@huawei.com> - 7.2.10-9
 - Fix CVE-2020-7063